
Allow setting of shared secret (pepper) for password storage

Open oli-scs opened this issue 1 month ago • 0 comments

Expected Behavior

When using the Password4j password encoders, I can optionally provide a shared secret/pepper that is then used as the pepper in the Password4j library (and therefore is not part of the stored hash value).

Current Behavior

Currently, it is not possible to use a shared secret pepper with Spring Security's default password encoders. To use a pepper, one must write a custom password encoder.

Context

We are building a system where we want a shared secret/pepper, as described in the OWASP Password Storage Cheat Sheet. Since logins are distributed across multiple devices, including offline devices, we would like to provide a shared secret/pepper to the application through another secure means so it can be used in the password storage process.

oli-scs Dec 10 '25 13:12
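The issue describes writing a custom password encoder to apply a pepper. The following is an added illustration of that approach, not code from the Spring Security project or from the issue author. It assumes the OWASP recommendation of keying the password through HMAC-SHA256 with the pepper before the slow hash, uses the existing `Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8()` as the delegate, and the class name `PepperedPasswordEncoder` and the demo pepper bytes are hypothetical. The stored value is only the Argon2 output, so the pepper never reaches the database; the wrapper does not use the Password4j encoders the issue asks for.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Hypothetical PasswordEncoder that applies a shared secret (pepper) with HMAC-SHA256
 * and then delegates to a slow hash. Only the delegate's output is stored, so a leaked
 * password table cannot be attacked offline without also obtaining the pepper.
 */
public final class PepperedPasswordEncoder implements PasswordEncoder {

    private static final String HMAC_ALGORITHM = "HmacSHA256";

    private final PasswordEncoder delegate;
    private final byte[] pepper;

    public PepperedPasswordEncoder(byte[] pepper, PasswordEncoder delegate) {
        if (pepper == null || pepper.length < 32) {
            throw new IllegalArgumentException("pepper must be at least 32 bytes");
        }
        this.pepper = pepper.clone();
        this.delegate = delegate;
    }

    @Override
    public String encode(CharSequence rawPassword) {
        return delegate.encode(pepperize(rawPassword));
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        return delegate.matches(pepperize(rawPassword), encodedPassword);
    }

    @Override
    public boolean upgradeEncoding(String encodedPassword) {
        // Let the delegate decide whether its own parameters are outdated
        return delegate.upgradeEncoding(encodedPassword);
    }

    // HMAC(pepper, password), Base64-encoded so the delegate receives a printable string
    private String pepperize(CharSequence rawPassword) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALGORITHM);
            mac.init(new SecretKeySpec(pepper, HMAC_ALGORITHM));
            byte[] tag = mac.doFinal(rawPassword.toString().getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC-SHA256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        // Constructed demo pepper; in a real deployment load it from a KMS, HSM or
        // environment secret that is provisioned separately from the database
        byte[] pepper = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        PasswordEncoder encoder = new PepperedPasswordEncoder(pepper,
                Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8());

        String stored = encoder.encode("correct horse battery staple");
        System.out.println("stored value (pepper not included): " + stored);
        System.out.println("matches correct password: "
                + encoder.matches("correct horse battery staple", stored));
        System.out.println("matches wrong password:   "
                + encoder.matches("Tr0ub4dor&3", stored));

        // The same stored value checked under a different pepper fails: the pepper is
        // part of the secret, which is why every device verifying logins needs the same one
        byte[] otherPepper = "fedcba9876543210fedcba9876543210".getBytes(StandardCharsets.UTF_8);
        PasswordEncoder otherEncoder = new PepperedPasswordEncoder(otherPepper,
                Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8());
        System.out.println("matches under a different pepper: "
                + otherEncoder.matches("correct horse battery staple", stored));
    }
}
```

Because the pepper is applied before the delegate, rotating it invalidates every stored hash at once; a deployment that plans for rotation would need to keep a pepper identifier alongside the hash (for example through a `DelegatingPasswordEncoder` id) so old entries can still be verified and re-encoded on login.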